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(54) Network routing using an untrusted router 

(57) A trusted guard unit is used in a red/black se- 
cure environment to enable an untrusted router to be 
used to generate routing information for confidential da- 
ta. The trusted guard generates a dummy message by 
substituting dummy data for confidential data in a mes- 
sage to be routed from a red environment to a black en- 
vironment. The dummy message is sent to an untrusted 



router to generate routing information for use In routing 
the confidential data, but without the untrusted router 
receiving the confidential data. Another trusted guard 
receives from the router the dummy message with the 
routing information, and substitutes the confidential data 
for the dummy data in the dummy data message to gen- 
erate a transmission frame to send to a destination 
node. 
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Description 

BACKGROUND OF THE INVENTION 
Field of the Invention 

[0001] The invention relates to network communica- 
tions methods and systems. More particularly, it relates 
to routing data of multiple levels of security in a data 
communication network. 

Description of the Related Art 

[0002] Over the past several years the world has wit- 
nessed tremendous advances in commercial network- 
ing technologies. Many of the advances concern routing 
techniques and devices used In commercial networks, 
and networks of networks often referred to as the Inter- 
net Typically, commercial routers are used in unse- 
cured environments, at least from a data perspective. 
That Is, commercial routers have been developed for 
commercial use without regard to supporting Informa- 
tion classified according to multiple levels of security. Al- 
though commercial routing devices typically undergo 
many reliability and quality tests, they are not designed, 
nor are they tested, with the goal of handling multiple 
levels of security classification. 
[0003] In contrast to commercial environments, net- 
working devices for use in military applications are often 
required to support multiple levels of security classifica- 
tion. Multilevel security (MLS), according to the Nations! 
Information Systems Security (INFOSEC) Glossary, 
NSTISSI No. 4009, January 1999 (Rev. 1), is a concept 
of processing information with different classifications 
and categories that simultaneously permits access by 
users with different security clearances and denies ac- 
cess to users who lack authorization. Multilevel security 
and MLS, as used here, encompass simultaneous ac- 
cess by users with different levels of access authority 
that Is not necessarily limited to a national security clear- 
ance level. 

[0004] Information classified according to a govern- 
ment or military organization's security classification is 
referred to here as classified information. Information 
used In a commercial environment and to which access 
is to be Dmited is referred to as proprietary Information. 
More generally, confidential Information refers to infor- 
mation to which access is to be limited and encompass- 
es both classified and proprietary information. 
[0005] In an MLS environment, it is Important to use 
a trusted computing system, which refers to the totality 
of protection mechanisms within a computer system, in- 
cluding hardware, firmware, and software, that Is, the 
combination responsible for enforcing an organization's 
security policy. In many trusted computing systems that 
process sensitive or classified information, especially 
national security Information, Information systems* se- 
curity methods and devices are used to protect the in- 



formation systems against unauthorized access to or 
nwdification of information, whether in storage, 
processing or transit, and against the denial of service 
to authorized users, including those measures neces- 

5 sary to detect, document and counter such threats. 
Such information systems often employ red/black con- 
cepts and techniques. "Red/black" refers to separation 
of electrical and electronic circuits, components, equip- 
ment, and systems that handle national security infor- 

io mation (red) in electrical form from those that handle 
non-national security Information (black) in the same 
form, as described in the National INFOSEC Glossary, 
Devices and software components that operate in a red 
environment for processing classified data undergo ex- 

15 tensive testing to ensure the integrity of the classified 
data passing through those components. Such testing 
can be very lengthy and very expensive. 
[0006] Unfortunately, because of the extensive de- 
sign and testing to ensure the integrity of red data, many 

so military computing systems have not been able to take 
full advantage of the tremendous advances in routing 
technology taking place in the commercial networking 
world. Accordingly, there is a need to use commercial 
networking equipment, particularly network routers, in 

25 computing environments that must support MLS sys- 
tems, yet without requiring the extensive testing to cer- 
tify that equipment to process red data. Hence, there is 
a need to employ untrusted commercial network routers 
In computing systems that handle multilevel security da- 

30 ta. 

[0007] A Joint Tactical Radio System (JTRS) software 
radio Is an example of equipment that must operate in 
a MLS environment. A software radio Is a radio that uses 
computer software to perform a variety of functions in 

35 the process of converting voice or data information to 
and from a radio frequency (RF) signal. The architecture 
of the JTRS software radio is designed, as shown in Fig. 
1 , In a modular manner in order to use commercial-off- 
the-shelf {COTS) components and thereby leverage 

40 COTS development and reduce the overall develop- 
ment costs of the JTRS software radio. The architecture 
depicted in Fig. 1 is a conceptual diagram Illustrating 
major functional units, and does not necessarily illus- 
trate physical relationships. 

45 [0008] The software radio notional architecture 
shown in Fig. 1 Includes a red critical system intercon- 
nect (CSI) 1 and a black CSI 2. The red CSI couples 
functional entity interfaces (FEI), such as a user inter- 
face 3 or a network interface 4, to various red FEI units. 

so Those units can include a human-computer Interface 
(HCI) 5, a red system control unit 6, an internetworking 
unit 7 and an information security ( I N FOS EC) unit 8. The 
red CSI allows various types of red FEI units to be used 
on the red side of the radio. For example, the internet- 

ss working unit 7, the red system control unit 6 and the HCI 
5 can all reside on a single processor board 9, such as 
a Pentium class microprocessor circuit board that con- 
nects to the red CSI. 
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[0009] ThelNFOSECunft8connect8totheblackCSI 
on the black side of the software radio, and to the red 
CSI on the red side of the radio, and forms a boundary 
between the red and black environments. Connected to 
the black CSI are an antenna I/O interface unit 10 for s 
sending end receiving RF signals, RF units 1 1 , modems 
1 2, and various other black side processes 13. Also, a 
user Interface 1 4 can be connected to the black CSI as 
shown in Fig. 1. The black CSI allows various types of 
COTS functional entity interface units to be used in the 
software radio, such as various types of commercial mo- 
dems, for example. 

[0010] The internetworking unit 7 includes a routerfor 
routing messages, received from the user Interfaces on 
the red side of the radio or received over the air after 
black side INFOSEC processing, to destinations on ei- 
ther the red or black sides of the radio. For destinations 
on the black side of the radio, the router must send the 
messages through the INFOSEC 8. 
[0011] A multiple-Input, multiple-output information 
system capable for use in the JTRS software radio Is 
shown in Fig. 2 in which the INFOSEC unit 15 forms a 
boundary between red and black environments. On the 
black side of the system the INFOSEC Interfaces with 
Input/output channels 1 through N. Similarly, on the red 
side of the system the INFOSEC interfaces with corre- 
sponding input/output channels 1 through N that con- 
nect to a muter 1 6. The router 1 6 is coupled to a plurality 
of users, here, user 1 through user M. in such an envi- 
ronment the data streams may be at different security/ 
compartment levels if it is a government Information sys- 
tem, or the data steams may belong to different commu- 
nities of interest If In a commercial environment. 
[001 2] The router 1 6 receives data, either from a user 
or from one of the channels, and routes it to the appro- 
priate destination. For example, user 1 may send a mes- 
sage addressed to a destination reached using channel 
N. The router 16, using routing tables and routing algo- 
rithm software, receives the message from user 1 and 
based on the address determines a route over which to 
send the message. This entails attaching routing infor- 
mation to the message and outputting the message over 
the channel the router determines services the chosen 
route. The router 1 6, through the use of its routing tables 
and algorithms, determines that the message Is to be 
output on channel N, for example. Accordingly, the rout- 
er outputs the message on channel N with the added 
routing Information attached to the message. Similarly, 
when the router receives a message on one of the N 
channels, it examines the routing information in the re- 
ceived message, determines the user or channel to 
which to send the message, and outputs the message 
to that user or channel. Because the router 16 receives 
data streams that may be at different security/compart- 
ment levels (government system) or may belong to dif- 
ferent communities of interest (commercial system), the 
router in Fig. 2 must be tested to ensure It can be trusted 
with those data streams. 



[0013] It is highly desirable to use standard commer- 
cial software for the router because of the rapid techno- 
logical advances and routing evolution occurring in the 
co m m er cial sector. However, commercial routing soft- 
ware does not undergo the rigorous and extensive test- 
ing required to certify It as trusted and therefore a com- 
mercial router has no level of trust Yet, there is a strong- 
ly felt need to develop an approach that uses commer- 
cial routing techniques and software in an MLS environ- 
ment and guarantees that data from one security level 
will not get released to users or networks at a different 
level without following the safeguards specified by the 
information system's security policy. 



[0014] Therefore, In light of the above, and for other 
reasons that will become apparent when the Invention 
is fully described, an object of the invention Is to use a 
router that has not been certified to process data of mul- 
tiple security levels, to provide routing information for a 
message containing confidential data. 
[001 5] A further object of the invention is to use rout- 
ing information from an untrusted router to route confi- 
dential data without sending that data to the router. 
[001 6] Yet another object of the invention is to gener- 
ate a transmission frame by combining routing informa- 
tion from a dummy message sent to a router, with con- 
fidential information to be transported using the trans- 
mission frame. 

[0017] A still further object of the invention is to obtain 
routing information from a router that is not certified to 
handle information of multiple levels of security without 
sending confidential information to the router. 
[001 8] The aforesaid objects are achieved individual- 
ly and in combination, and It is not intended that the in- 
vention be construed as requiring two or more of the ob- 
jects to be combined unless expressly required by the 
claims attached hereto. 

[0019] A method in accordance with the invention 
routes a data message containing confidential informa- 
tion, by substituting dummy information for the confiden- 
tial Information in the message. The message is sent 
with the dummy information to a routerfor adding routing 
information to the message, and the confidential Infor- 
mation is elsewhere substituted for the dummy informa- 
tion in the message containing the routing information. 
[0020] A trusted guard apparatus, according to the in- 
vention, sends a data message to a router, in which the 
data message has information classified at a first secu- 
rity level. The apparatus includes a source authentica- 
tion unit configured to receive the data message con- 
taining the information classified at the first security lev- 
el, and to add to the data message source information 
concerning the source of the data message. The appa- 
ratus also includes a data Integrity unit coupled to the 
source authentication unit and configured to transform 
the information classified at the first security level to In- 
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DETAILED DESCRIPTION 



dude information for determining the integrity of the in- 
formation classified at the first security level. It also in- 
cludes a data substitution unit coupled to the source au- 
thentication unit and configured to generate a dummy 
data message by substituting dummy data for the infor- 
mation classified at the first security level, and output- 
ting the dummy data message to the router. 
(0021] A transmission frame for delivering confiden- 
tial data to a destination node, according to the inven- 
tion, includes a dummy data field containing dummy da- 
ta, classified at a first security level, substituted for con- 
fidential data classified at a second security level differ- 
ent from the first security level. The transmission frame 
also Includes a message header field containing Infor- 
mation Identifying the destination node, and a routing 
field containing routing information for use in routing the 
transmission frame to the destination node. 
[0022] The above and still further objects, features 
and advantages of the invention will become apparent 
upon consideration of the following descriptions and de- 
scriptive figures of specific embodiments thereof. White 
these descriptions go into specific details of the inven- 
tion, it should be understood that variations may and do 
exist and would be apparent to those skilled in the art 
based on the descriptions herein. 

BRIEF DESCRIPTION OF THE DRAWINGS 

[0023] 

Fig. 1 is a block diagram illustrating an architecture 
of a software radio. 

Fig. 2 is a block diagram of a portion of a computing 
system, such as the software radio of Fig. 1 , using 
a router and an INFOS EC. 
Fig. 3 Is a block diagram of a computing system us- 
ing an untrusted router in combination with an IN- 
FOSEC and a trusted guard unit. 
Fig. 4 is a diagram showing a detailed view of a 
trusted guard unit A. 

Fig. 5 is a flowchart illustrating a process of routing 
data according to the invention. 
Fig. 6 is a brock diagram of a computing system us- 
ing an untrusted router, a trusted guard unit and 
showing data flows according to certain aspects of 
the invention. 

Fig. 7 is a detailed view of a trusted guard with a 

dummy message generator. 

Fig. 8 Is a detailed view of a trusted guard unit that 

combines routing information from an untrusted 

router with signed data from another trusted guard 

unit. 

Figs. 9A-D are diagrams of data packets at various 
stages of a routing process according to aspects of 
the invention. 

Fig. 10A-G are diagrams illustrating various data 
flows in a software radio. 



[0024] Preferred embodiments according to the 
present invention are described below with reference to 
5 the above drawings, in which like reference numerals 
designate like components. 

[0025] When dealing with data processed by untrust- 
ed software between a source and a destination, It is 
necessary to prove at the destination point that the 

io source information is accurate (source authentication) 
and that the data has not been modified (data integrity), 
if source authentication and data Integrity are provided 
at the source and destination by trusted software ancV 
or hardware entities, referred to here as trusted guards, 

k then the untrusted router cannot interfere undetected 
with that information that is sent from the source to the 
destination and the trusted entities can enforce the com- 
puting system's security policy. 
[0026] Fig. 3 is a block diagram showing a trusted 

20 guard A 1 7 coupled with users 1 through M and coupled 
to ports 1 through M of the router 16. Another trusted 
guard B 18 is coupled to channels 1 through N of the 
router 16 and to the INFOSEC 15. Trusted guard B can 
be Included as part of the INFOSEC 15. 

25 [0027] A block diagram of trusted guard A is shown in 
Fig. 4. The trusted guard of Ftg. 4 includes a labeling 
unit 1 9, a secure hashing algorithm (SHA) unit 20, a dig- 
ital signature (DSS) unit 21 and a signature application 
unit 22. To provide source authentication the trusted 

30 guard's labeling unit 19 receives user data and source 
Information and uses that information to attach a label 
to the data at its source. The label can include Informa- 
tion about the source, such as, for example, a channel 
number, a security level, a packet number, the length of 

35 the packet and/or a time-of-day label. Further, if assur- 
ance requirements so dictate, the trusted guard can add 
other information to the data such as a packet number, 
a time stamp or a unique identifier such as an identifier 
cryptographically generated by a trusted guard. The 
trusted guards are initialized by the INFOS EC, prefera- 
bly at the time of powering on the trusted guards. For 
example, the INFOSEC can initialize the trusted guards 
to operate at a specific security level depending on the 
guard's certification. The information provided by the la- 

<5 beling unit can be set at initialization. The SHA unit 20 
can be used to reduce the amount of data by applying 
a hash algorithm to the labeled data and thereby reduce 
the computational complexity of the digital signature 
evaluation. Hashing can be used to reduce the complex - 

so rty of using digital signatures, although It need not be 
used to practice the invention. The trusted guard can 
use well-known techniques to provide data integrity 
when sending data between trusted guards, such as by 
applying a digital signature to the labeled data. For ex- 

S5 ample, a digital signature can be a number computed 
from the data being signed. An example of a digital sig- 
nature is a check-sum computed from the data and la- 
bel. Generally, however, a cryptographic procedure is 
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used instead of a checksum, to ensure that a signature 
cannot be modified. An example of such a cryptographic 
procedure that can be used to ensure the Integrity of the 
data is the AFI PS-specified Digital Signature (DSS) 
which is based on Public Key Encryption. Hie DSS unit 
21 shown tnFkj.4 determines and outputs such a digital 
signature for the labeled data. The signature application 
unit 22 applies the signature to the labeled data received 
from the labeling unit 19, and outputs the labeled data 
with the signature as signed data. The trusted guard B 
18, connected to the INFOSEC as shown in Fig. 3, re- 
ceives the signed and labeled data from the router 1 6, 
authenticates I and verifies its integrity by using the sig- 
nature and label in the data. 
[0028] The trusted guard system shown In Fig. 3 
would suffice for routing messages to their destinations 
and ensuring that the security of the data is not compro- 
mised, If the untrusted router 16 were not allowed to 
generate data If that were the case, and the router not 
allowed to generate data, the router would not be able 
to masquerade as a data source since the router could 
not generate signed data, as the source and destination 
are trusted and are the only ones that have the keys 
required by the DSS unit. However, the router 16 must 
be allowed to generate data, such as routing tables, and 
transmit them to other routers. Accordingly, the ap- 
proach of labeling, hashing and signing data is insuffi- 
cient to ensure that the router 1 6 cannot, through mali- 
cious or faulty software, hold on to data and then trans- 
mit that data as part of its own data transmissions, since 
that might cause data at a higher classification level to 
be released to users who are not authorized to see that 
data. 

[0029] The Invention allows a router w&h untrusted 
software to be used in an MLS environment, yet ensures 
that the router does not release data from one security 
level to users or networks at a different level This in- 
volves diverting data around the router that has the un- 
trusted software, while using the router to supply routing 
Information. An overall general process for using an un- 
trusted router in an MLS environment is illustrated in Fig. 
5. The process begins by trusted guard A receiving a 
message routed from a data source (23). The data in 
the message, which might be confidential and classified 
with a security level higher than a security level at which 
the router Is certified, is removed and replaced with 
dummy data, such as a predetermined pattern of char- 
acters that is non-confidential (24). Alternatively, a pseu- 
do random pattern can be cryptograph icaPy generated 
by the sending guard and validated by the receiving 
guard. The message with the dummy data (i.e., a dum- 
my data message) is sent to the router 16. and the data 
removed from the message is directed around the un- 
trusted router 1 6 and sent to trusted guard B to eventu- 
ally match it with the dummy message once the router 
16 determines the routing information (25). The router 
16 receives the dummy message, determines a route 
for it to travel to reach Its Intended destination, and ap- 



pends to the dummy message routing information spec- 
ifying such a route (26). The router sends the dummy 
message with the routing Information to trusted guard B 
where the data is diverted (27). Trusted guard B then 

5 replaces the dummy data in the message to which the 
routing Information is appended with the data from the 
data source (28). Trusted guard B then sends the recon- 
structed message according to the routing information 
supplied by the router (29). In this manner, a router 16 

10 with untrusted software Is used to supply routing infor- 
mation without the untrusted router receiving data from 
the data source. 

[0030] The operation of the untrusted router system 
of Fig. 3 Is modified to perform a data diversion tech- 

15 nique, as illustrated in Fig. 6. In the system shown in 
Fig. 6 a trusted guard A 30, coupled to users 1 through 
M and to the router, receives a message with data for 
delivery to a destination specified by an address In a 
header of the message. A detailed view of trusted guard 

20 A 19 Is shown In Fig. 7. In addition to the trusted guard 
shown in Rg. 4, trusted guard A 30 also includes a dum- 
my message generator 32. Trusted guard A 30, as de- 
scribed above, labels and applies a signature to the da- 
ta. Alternatively, the trusted guard A compresses the la- 

25 beted data using a hash algorithm or another data com- 
pression technique. Trusted guard A 30 sends the 
signed data (i.e., data + label + signature) over a trusted 
path that does not include the router, to a trusted guard 
B 31 that is coupled to the router 16 and INFOSEC 15. 

30 The dummy generator 32 receives the message sup- 
plied to trusted guard 30 from the user and replaces the 
data in the message with non-confidential dummy data 
that is classified at a security level the same as or lower 
than the security level of the router, and retains any 

35 headers in the message. An example of such non-con- 
fldentlal data is a predetermined pattern of characters 
or a pseudo random pattern that is cryptographically 
generated. Alternatively, the dummy message genera- 
tor 32 can receive the message at any point in the trust- 

40 ed g uard , so long as the message's header remains in- 
tact. Trusted guard A 30 then outputs the dummy mes- 
sage having the headers and non-confidential dummy 
data, to the router 16. 

[0031] The router 16 receives the dummy message 
45 and based on the headers in the message determines 
a route for delivering the message to the intended des- 
tination. The router 1 6 then applies to the dummy mes- 
sage routing information specifying the determined 
route. For example, the router can apply the routing in- 
5o formation by appending it to the dummy message. The 
router 16 then outputs the dummy message with the 
routing information to trusted guard B 31 . 
[0032] Trusted guard B 31 is shown in detail in Fig. 8 
and includes a dummy message receiving unit 33, a 
55 signed data receiving unit 34, a message reconstruction 
unit 35, and an output unit 36. Signed data receiving unit 
34 receives the signed data sent from the trusted guard 
A 30 and sends it to the message reconstruction unit 35 
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which holds It unti the dummy message receiving unit 
33 receives the corresponding dummy message from 
the router 1 6. The message reconstruction unit 35 then 
receives the signed data, matches headers, and replac- 
es the dummy data with the signed data to form a re- 
constructed message. The reconstructed message in- 
cludes the routing information, any original message 
headers and the signed data. The output unit 36 then 
outputs the reconstructed message to the INFOS EC 1 5, 
which performs conventional red/black isolation func- 
tions, and forwards the message to the intended desti- 
nation along a path specified by the routing information. 
[0033] Since the source and destination are trusted 
and are the only ones that have the keys required by the 
digital signature algorithms, the destination upon receiv- 
ing the message uses its keys to unhash and authenti- 
cate the message. In this manner the message is routed 
and verified at the destination. 
[0034] Trusted guard A can include the same struc- 
ture and perform the same functions as trusted guard 
B, shown In Fig. 8, where trusted guard A also receives 
data fromanothertrusted guard. Likewise, trusted guard 
B can include the same structure and perform the same 
functions as trusted guard A, shown in Fig. 7, where 
trusted guard B also sends data to another trusted 
guard. 

[0035] Figs. 9A-9D show examples of messages sent 
from the source through the trusted guard A and the un- 
trusted router to the INFOSEC. A user, for example user 
1 shown In Fig. 6, sends a message shown in Fig. 9A 
that contains data 38 that could be confidential and clas- 
sified at a security level higher than a level at which the 
router Is certified. The message in Fig. 9A also includes 
standard headers (HDR) 37 attached to the confidential 
data according to the networking protocols in use. Trust- 
ed guard 30, upon receiving the confidential data sub- 
stitutes dummy data 39 for the confidential data and 
sends a dummy message, shown In Fig. 9B, to the rout- 
er 16. The router 16, upon receiving the dummy mes- 
sage adds a routing header 40 to the dummy data 39 
and header 37. The routing header 40 includes routing 
information for routing the message to the destination. 
The router 1 6 sends the dummy data message with the 
routing header, shown in Fig. 9C, to trusted guard B 31 
by way of the appropriate channel according to the de- 
termined route. 

[0036] Trusted guard A 30 sends the confidential data 
3B that has been separated from the original message 
to trusted guard B 31. As discussed above, trusted 
guard A 30 can apply a hashing function to the confi- 
dential data, and can also apply a digital signature to the 
data. Trusted guard A 30 sends the signed confidential 
data to trusted guard B 31 by way of a trusted path sep- 
arate from the router 

[0037] Trusted guard B 31 matches the signed data 
with the dummy message received from the router that 
contains the routing header 40. Trusted guard B 31 sub- 
stitutes the signed confidential data 38 received from the 



trusted guard A 30 for the dummy data 39 contained in 
the message received from the routert 6. Thus, trusted 
guard B 31 forms the message, or transmission frame, 
shown in Rg. 9D that includes the routing header 40 that 

5 contains the routing information for delivering the mes- 
sage to the intended destination, the original headers 
37 and the confidential data 38. Trusted guard B 31 then 
sends the message shown In Rg. 9D to the INFOSEC 
for transmission to the destination along the determined 

w route. The process described above also operates in the 
reverse direction. When information arrives from chan- 
nels 1 through N it is provided to one of the users 1 
through M. In that case, trusted guards A and B operate 
with their roles reversed. 

15 [0038] The trusted guards described above can be 
used in a variety of data flow scenarios for delivering 
data both to the red side and the black side of INFOSEC 
15. Various such data flows are shown In Figs. 10A 
through 1 0G, in which the data flows represented by a 

20 solid line designate messages that contain data from a 
source, such as red data from a user. The dashed lines 
depict data flow of messages containing dummy data. 
[0039] The data flow shown in Fig. 1 0A depicts a mes- 
sage originating from the red side of the INFOSEC and 

25 flowing to a destination on the black side. Here, a user 
A sends a message containing red data through the user 
A's I/O device 3A to a trusted guard 30A and over the 
red bus 1 to trusted guard 31 to INFOSEC 15 for delivery 
to a destination over black bus 2. In the manner de- 

3o scribed above, trusted guard 30A substitutes dummy 
data for the red data in the message to create a dummy 
message. Trusted guard 30A sends the dummy mes- 
sage to untrusted router 1 6 which adds routing informa- 
tion to the dummy message, as depicted by the dashed 

6 One. The router 1 6 sends the dummy message with the 
routing information to trusted guard 31 . Meanwhile, 
trusted guard 30A sends the message data to the trust- 
ed guard 31 across red bus 1 , as depicted by the solid 
Dne. Trusted guard 31 then reconstructs the message 

40 by combining the routing Information in the dummy mes- 
sage with the red data received from trusted guard 30A. 
Trusted guard 31 then sends the reconstructed mes- 
sage to the INFOSEC for delivery to a transmitter on the 
black bus 2. 

45 [0040] Data flowing In the reverse direction is shown 
in Fig. 1 0B. Here, a message sent from a source outside 
the local red environment shown in Rg. 1 0B Is received 
by INFOSEC 15 from black bus 2. In the case of the 
JTRS software radio the message, likely in the form of 

so a data packet, is received by the radio's antenna and 
demodulated on the black side of the INFOSEC 1 5. The 
demodulator forwards the message to the INFOSEC 1 5 
over the black bus 2 and the INFOSEC 15 passes the 
received message to trusted guard 31. The trusted 

55, guard 31 generates a dummy message with the header 
information from the received message and dummy da- 
ta substituted forthe data in the message, and forwards 
the dummy message to untrusted router 1 6, as depicted 
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by the dashed One. The INFOS EC 15 decrypts the mes- 
sage's data and passes the decrypted data to trusted 
guard 31. The router 16 returns the I/O address (or the 
destination to the trusted guard 31. tn the example 
shown in Fig. 1 0B the router returns the I/O address for 
user A's I/O device 3A. The trusted guard 31 then veri- 
fies the messages destination, and assembles the de- 
crypted data with the header information returned from 
the router. Before sending the decrypted data to the des- 
tination IAD device Indicated by the header Information 
returned from the router, the trusted guard 31 verifies 
that the Indicated destination is authorized to receive in- 
formation at the security level of the decrypted data. 
Once verified the trusted guards 1 hashes and signs the 
message and sends the assembled message with the 
decrypted data to the destination I/O device via the red 
bus 1 , here, user A's I/O device 3A, as depicted by the 
solid line. 

[0041] Alternatively, the data flow shown in Fig. 10B 
can be achieved by router 16 forwarding the dummy 
message to the trusted guard servicing the destination 
I/O device as shown in Fig. 1 0C. Here, trusted guard 31 
places the data from the received message on the red 
bus 1 with some type of identifier, such as, for example, 
a packet number, date/time stamp, etc. The dummy 
message generated by trusted guard 31 would have the 
same Identifier (e.g., packet number, date/time stamp, 
etc.). All trusted guards on red bus 1 would seethe data 
placed on the red bus, but only the guard(s) to which the 
dummy message is sent will take the data off the red 
bus and supply It to the respective user I/O device. The 
trusted guard(s) that receive the dummy message can 
detect the corresponding data on the red bus by match- 
ing the identifiers (e.g., packet number, date/time stamp, 
etc.) In the example shown in Fig. 10C, user A's I/O de- 
vice 3A receives the dummy message thus indicating 
that it is to receive the data placed on the bus. Trusted 
guard 30A then matches identifying information from the 
dummy message with the data on the red bus, and if 
there is a match ft takes the data off the red bus, authen- 
ticates it and supplies the data to user A's I/O device 3A. 
The other trusted guards ignore the data on the red bus 
because they did not receive the dummy message from 
the router 1 6. The other trusted guards also ignore the 
data, if the data is labeled, because the attached label 
does not indicate that the data is destined for them. 
[0042] Fig. 10D depicts a data flow for the case in 
which a message is routed only within the red environ- 
ment of the communication system. In Fig. 10D user A 
sends a message, via user A's I/O device 3A, to user B. 
Trusted guard 30A receives the message from user A's 
I/O device 3A and substitutes dummy data for the red 
data In the message. The dummy message is sent to 
untrusted router 1 6 for application of routing information 
to the message, as depicted by the dashed line. Trusted 
guard 30A sends the message's red data to the IN- 
FOSEC 15 by way of trusted guard 31. The router 16 
adds routing Information to the dummy message and 



then sends It to the trusted guard that services IN- 
FOSEC 15, La, trusted guard 31 . If the message* des- 
tination is tocai, that Is, within the red environment 
shown In Fig. 1 00, and the encryption requirements are 

5 the same for both users (e.g., not requiring radio trans- 
mission), then the message need not be sent to IN- 
FOSEC 15 for encryption/decryption services. Accord- 
ingly, trusted guard 31 reconstructs the message by as- 
sembling the red data with the header information ra- 
re ceived from the untrusted router 16 that contains the 
routing information. Trusted guard 31 forwards the re- 
constructed message data and header to the destina- 
tion user I/O device indicated in the routing information, 
as depicted by the solid line. In the example shown in 

15 Fig. 10D the message is destined for user B, and ac- 
cordingly, the reconstructed message is forwarded to 
user Ps I/O device 3B via trusted guard 30B. Before 
allowing the message data to be released to user B's V 
O device, the trusted guard 30B verifies that the data in 

20 the message is at the proper classification level for the 
destination indicated by the routing information. 
[0043] Alternatively, in situations where security ac- 
cess controls do not require the function of INFOSEC 
1 5, the message can be routed without sending the data 

25 to either the router 1 6 or the INFOSEC 1 5. In that case, 
depicted In Fig. 1 0E, when sending a message between 
users in the same red environment the untrusted router 
1 6 upon receiving the dummy message and determining 
the appropriate routing information can notify the destl- 

30 nation trusted guard, in this example, trusted guard 30B , 
that the message is intended for user B. The router 16 
can notify the destination trusted guard by sending it the 
dummy data message, as shown by the dashed line in 
Fig. 10E, with the routing information included in that 

35 message. This notification can occur by the router 16 
routing the dummy data message to the destination. 
When the source trusted guard, in this example, trusted 
guard 30A, substitutes dummy data for the message da- 
ta, it can place the message data on the red bus 1 for 

to all trusted guards to see, as shown by the solid line. As 
described above, trusted guard 30A can add identifying 
information to both the dummy data message and the 
message data to facilitate later matching. Only the trust- 
ed guard receiving the dummy data message from the 

4s router, here trusted guard 30B, will then Identify the data 
on the red bus 1 as matching the dummy data message 
and take the message data off of red bus 1 . The desti- 
nation busted guard can verify and authenticate the da- 
ta, and aOow the message data to be passed to user B 

50 only ff user B is authorized to access the message data. 
[0044] Another data flow example is shown In Rg. 
1 0F. In this example the data path is the same as shown 
in Fig. 10D except the ericryption/decryption require- 
ments are different. That is, here, user A sends a mes- 

55 sage intended for user B. however the message must 
be encrypted due to channel setup requirements desig- 
nated at instantiation. Here, trusted guard 30A sepa- 
rates the message data from the message's header In- 
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formation and uses that header information to generate 
a dummy message containing dummy data. The dummy 
message, wfth the message's header information, is 
sent to untrusted router 16 to add routing information, 
as shown by the dashed tine. The message data is sup- 
plied to iNFOSEC 15 via trusted guard 31 , as shown by 
the so fid line. The untrusted router, upon determining 
the appropriate route, provides the routing information 
to trusted guard 31 , preferably in the form of routing in- 
formation added to the header of the dummy message. 
The untrusted router 16 then sends the dummy mes- 
sage to trusted guard 31 , as depicted by the dashed line. 
In this example the message must be encrypted or de- 
crypted since the user's encryption/decryption require- 
ments are different INFOSEC 15 performs the appro- 
priate encrypttorVdecryption on the message data ac- 
cording to the channel setup requirements for users A 
and B, and supplies the appropriately encrypted or de- 
crypted message data to trusted guard 31. Trusted 
guard 31 then adds the routing Information supplied by 
untrusted router 16 to the message data that is to be 
delivered to user B, thereby reconstructing the mes- 
sage. The trusted guard 31 sends the reconstructed 
message to user B according to the routing information, 
as depicted by the solid line. Trusted guard 30B receives 
the reconstructed message and verifies and authenti- 
cates the message before supplying it to user B's I/O 
device 3B. 

[0045] Alternatively, the data flow depicted In Fig. 1 0F 
can be accomplished In other ways. For example, as 
shown in Fig. 1 0G, trusted guard 30A can send the mes- 
sage data to the INFOSEC 15, as depicted by the solid 
line, for encryption/decryption. The INFOSEC 15, after 
encrypting/decrypting the message data, can place that 
data on red bus 1 via trusted guard 31. The router 16 
can notify the destination trusted guard of the message, 
such as by sending the dummy message to the desti- 
nation trusted guard, in this example, trusted guard 30B, 
as depicted by the dashed line. The destination trusted 
guard, here, trusted guard 30B, upon receiving the dum- 
my message matches identifying information in the 
dummy message with identifying Information In the data 
on the red bus. If they match trusted guard B takes the 
encrypted/decrypted data off of red bus 1 . Trusted guard 
30B then verifies and authenticates the message data 
and supplies it to user B*s I/O device if it* s security level 
is adequate for the security classification of the mes- 
sage data. 

[0046] It will be understood that the functions of the 
trusted guards, and the units within the trusted guards 
such as the units shown in Figs. 7 and 8, can be per- 
formed using computer programs controlling computer 
hardware and firmware. It will also be understood that 
such computer programs can be recorded on computer- 
readable media, such as magnetic and optical disks, 
and can be transmitted in a computer-readable signal. 
[0047] Having described preferred embodiments of 
network routing using an untrusted router, it is believed 



theft other modifications, variations and changes will be 
suggested to those skilled in the art In view of the teach- 
ings set forth herein. It is therefore to be understood that 
all such variations, modfficaliona and changes are be- 

5 Deved to fall within the scope of the present invention as 
defined by the appended claims. Although specific 
terms are employed herein, they ere used in their ordi- 
nary and accustomed manner only, unless expressly de- 
fined differently herein, and not for purposes of limita- 

w tion. 



Claims 

1. A method of generating a transmission frame for 
routing a first message, the first message having a 
header and first data, the method comprising: 

generating a second message by substituting 
20 second data for the first data in the first mes- 

sage; 

adding routing information to the second mes- 
sage; and 

generating the transmission frame by substitut- 
es Ing the first data for the second data In the sec- 
ond Information message after the routing In- 
formation is added to the second information 
message. 

30 2. The method of Item 1 , wherein the header in the first 
message identifies a destination for the first mes- 
sage. 

3. The method of Item 1 or 2, further comprising send- 
35 big the transmission frame to the destination ac- 
cording to said routing information. 

4. The method of any of items 1 to 3, wherein the first 
data is classified at a first security level and the sec- 

40 ond data Is classified at a second security level dif- 
ferent from the first security level. 

5. The method of Item 4, wherein the first security level 
is a security level designated for information to 

45 which access Is restricted and the second security 
level is a security level designated for information 
to which access is not restricted. 

6. The method of any of items 1 to 5, wherein the sec- 
so ond data is a predetermined pattern of characters. 

7. A method of routing a data message containing 
confidential information, the method comprising: 

55 substituting dummy information for the confi- 

dential Information in the message; 
sending the message with the dummy Informa- 
tion to a router for adding routing information to 
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the message; and 

outputting the confidential information for sub- 
stftution with the dummy Information after the 
routing information is added to the message. 

6. The method of item 7, further comprising sending 
the message with the confidential information sub* 
stituted for the dummy information to a destination 
node indicated by the routing information. 

9. A computer program product directly loadable into 
the internal memory of a (digital) computer, the 
computer program product for controlling a compu- 
terized device to route a data message containing 
confidential Information when said computer pro- 
gram product is run on a computer, the computer 
program product comprising: 

program code for substituting dummy informa- 
tion for the confidential Information in the mes- 
sage; 

program code for sending the message with the 
dummy information to a router for adding rout- 
ing Information to the message; and 
program code for outputting the confidential in- 
formation for substitution with the dummy infor- 
mation after the routing Information Is added to 
the message. 

10. The computer program product of item 9, further 
comprising program code for sending the message 
with the confidential Information substituted tor the 
dummy Information to a destination node indicated 
by the routing information. 

11 . A trusted guard apparatus for sending a data mes- 
sage to a router, the data message having informa- 
tion classified at a first security level, the apparatus 
comprising: 

a source authentication unit configured to re- 
ceive the data message containing the Informa- 
tion classified at the first security level, and to 
add to the data message source information 
concerning the source of the data message; 
a data integrity unit coupled to the source au- 
thentication unit and configured to transform 
the information classified at the first security 
level to include information for determining the 
integrity of the information classified at the first 
security level; and 

a data substitution unit coupled to the source 
authentication unit and configured to generate 
a dummy data message by substituting dummy 
data for the information classified at the first se- 
curity level, and outputting the dummy data 
message to the router. 



12. The trusted guard apparatus of item 11 , wherein in- 
formation classified at the first security level Is con- 
fidential information and the dummy data Is non- 
confidential information. 

5 

13. The trusted guard apparatus of item 11 or 12, 
wherein the data integrity unit transforms the infor- 
mation classified at the first security level by apply- 
ing a digital signature to said information. 

10 

14. The trusted guard apparatus of any of items 11 to 

13, wherein the information concerning the source 
of the data message added by the source authen- 
tication unit is a label identifying the source of the 
data message. 

15. The trusted guard apparatus of any of items 11 to 

14, further comprising a compression unit coupled 
to the source authentication unit and configured to 

so compress the information classified at the first se- 
curity level. 

1 6. The trusted guard apparatus of item 1 5, wherein the 
compression unit is configured to compress the la- 

2S beled data by applying a secure hashing algorithm 
to the Information classified at the first security level. 

17. A trusted guard apparatus for sending a data mes- 
sage to a router, the data message having informa- 

3o tion classified at a first security level, the apparatus 
comprising: 

a source authentication unit configured to re- 
ceive the data message containing the informa- 

35 tion classified at the first security level, and to 

add to the data message source information 
concerning the source of the data message; 
a data integrity unit coupled to the source au- 
thentication una and configured to transform 

40 the information classified at the first security 

level to include information for determining the 
Integrity of the information classified at the first 
security level; and 

means for generating a dummy data message 
45 by substituting dummy data for the information 

classified at the first security level, and output- 
ting the dummy data message to the router. 

1 8. The trusted guard apparatus of item 1 7, wherein in- 
so formation classified at the first security level is con- 
fidential information and the dummy data is non- 
confidential information. 

19. The trusted guard apparatus of item 17 or 18, 
55 wherein the data integrity unit transforms the Infor- 
mation classified at the first security level by apply- 
ing a digital signature to said information. 
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20. The trusted guard apparatus of any of items 17 to 
19, wherein the Information concerning the source 
of the data message added by the source authen- 
tication unit is a label Identifying the source of the 
data message. 

21. The trusted guard apparatus any of items 17 to 20, 
further comprising a compression unit coupled to 
the source authentication unit and configured to 
compress the information classified at the first se- 
curity level. 

22. The trusted guard apparatus of item 21 , wherein the 
compression unit is configured to compress the la- 
beled data by applying a secure hashing algorithm 
to the Information classffied at the first security level. 

23. A transmission frame for delivering confidential da- 
ta to a destination node, comprising: 

a dummy data field containing dummy data 
classified at a first security level, substituted for 
confidential data classified at a second security 
level different from the first security level; 
a message header field containing information 
identifying the destination node; 
a routing field containing routing information for 
use in routing the transmission frame to the 
destination node. 

24. The transmission frame of item 23, wherein access 
to data classified at the first security level is restrict- 
ed, and access to data classified at the second se- 
curity level is unrestricted. 

25. A method of generating a transmission frame for 
routing a message containing confidential data to a 
destination node, the method comprising: 

receiving a dummy data message containing 
routing information specifying a route to the 
destination node, and dummy data substituted 
. for the confidential data; 
receiving the confidential data separately from 
the dummy data message; and 
substituting the confidential data for the dummy 
data in the dummy data message thereby gen- 
erating the transmission frame. 

26. The method of item 25, wherein the confidential da- 
ta Is classified at a security level at which access is 
restricted, and the dummy data is classified at a se- 
curity level at which access is not restricted. 

27. A trusted guard apparatus for routing a data mes- 
sage to a destination node, the data message in- 
cluding confidential information, the apparatus 
comprising: 



a dummy message receiving unft coupled to a 
router and configured to receive from the router 
a dummy message containing dummy data and 
routing Information for routing the dummy data 

9 message to a destination node; 

a confidential data receiving unit coupled to a 
trusted guard unit and configured to receive 
from the trusted guard unit the confidential data 
to be routed to the destination node; and 

10 a message reconstruction unit connected to the 
dummy data message and confidential data re- 
ceiving units, wherein in response to receiving 
the dummy data message and the confidential 
data the message reconstruction unit gener- 
is ates an output message containing the routing 

information and the confidential data. 

28. The trusted guard apparatus of item 27, further 
comprising an output unit configured to send the 

20 output message to the destination node based on 
the routing Information. 

29. A trusted guard apparatus for routing a data mes- 
sage to a destination node, the data message rn- 

25 eluding confidential Information, the apparatus 
comprising: 

means for receiving from a router a dummy 
message containing dummy data and routing 

30 information for routing the dummy data mes- 

sage to a destination node; 
means for receiving from the trusted guard unit 
the confidential data to be routed to the desti- 
nation node; and 

35 means for substituting confidential data for the 

dummy data in the dummy data message 
thereby generating an output message contain- 
ing the routing information, the confidential da- 
ta. 

40 

30. The trusted guard apparatus of item 29, further 
comprising means for sending the output message 
to the destination node based on the routing infor- 
mation. 

45 



50 
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